CVE-2025-15577: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Valmet Valmet DNA Web Tools
An unauthenticated attacker can exploit this vulnerability by manipulating the URL to achieve arbitrary file read access. This issue affects Valmet DNA Web Tools: C2022 and older.
AI Analysis
Technical Summary
CVE-2025-15577 is a path traversal vulnerability identified in Valmet DNA Web Tools, a software suite used primarily in industrial automation and process control environments. The vulnerability stems from improper limitation of pathname to a restricted directory (CWE-22), allowing an unauthenticated attacker to manipulate URL parameters to access arbitrary files on the server. This flaw affects Valmet DNA Web Tools versions C2022 and older. The vulnerability does not require any authentication or user interaction, making it highly accessible to remote attackers. The CVSS 4.0 base score is 8.7 (high), reflecting the vulnerability's network attack vector, low complexity, no privileges required, and no user interaction needed. The impact is primarily on confidentiality, as attackers can read sensitive configuration files, credentials, or other critical data stored on the server. The vulnerability has not yet been observed exploited in the wild, and no patches or official mitigations have been published at the time of disclosure. Given the critical role of Valmet DNA Web Tools in industrial control systems, exploitation could lead to significant operational risks if sensitive information is disclosed to adversaries. The vulnerability was assigned by NCSC-FI and published on February 12, 2026.
Potential Impact
The primary impact of CVE-2025-15577 is unauthorized disclosure of sensitive information due to arbitrary file read access. Attackers can potentially access configuration files, credentials, logs, or other sensitive data stored on the affected server, which could facilitate further attacks such as privilege escalation, lateral movement, or disruption of industrial processes. For organizations relying on Valmet DNA Web Tools in critical infrastructure sectors like energy, manufacturing, and utilities, this could lead to operational disruptions, loss of intellectual property, and regulatory compliance violations. The lack of authentication and user interaction requirements significantly increases the risk of exploitation. Although no active exploits are known, the vulnerability's presence in industrial control system software raises concerns about targeted attacks by nation-state actors or cybercriminals aiming to disrupt critical infrastructure. The scope of affected systems is limited to installations running vulnerable versions of Valmet DNA Web Tools, but given the strategic importance of these systems, the impact could be severe in affected environments.
Mitigation Recommendations
1. Immediate mitigation should focus on restricting access to Valmet DNA Web Tools interfaces by implementing network segmentation and firewall rules to limit exposure to trusted networks only.
2. Deploy web application firewalls (WAFs) with custom rules to detect and block path traversal attempts in URL parameters.
3. Apply strict input validation and sanitization on all URL parameters to prevent directory traversal sequences such as '../'.
4. Monitor logs for unusual file access patterns or repeated attempts to access sensitive files.
5. Coordinate with Valmet for official patches or updates addressing this vulnerability and apply them as soon as they become available.
6. If patching is delayed, consider disabling or restricting access to vulnerable web tools temporarily.
7. Conduct security audits and penetration testing focused on web interface vulnerabilities to identify and remediate similar issues proactively.
8. Educate operational technology (OT) and IT teams about this vulnerability and the importance of layered security controls in industrial environments.
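An added example for the WAF and log-monitoring recommendations above (not part of the original advisory and not Valmet code): a log triage script that percent-decodes each request target repeatedly and flags '..' path segments, so encoded variants are caught alongside the literal '../'. The Common Log Format layout, the URL paths and the IP addresses in the sample are constructed assumptions; the advisory does not document the product's URL layout.

```python
import re
from urllib.parse import unquote

# A '..' segment bounded by a slash/backslash or the start/end of the value.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Assumed Common Log Format: ip ident user [time] "METHOD target PROTO" status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
MAX_DECODE_ROUNDS = 3  # unwraps up to triple percent-encoding

def fully_decode(value):
    """Percent-decode until the value stops changing (bounded)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(target):
    """True if the path or any query name/value holds a '..' segment."""
    path, _, query = target.partition("?")
    pieces = [fully_decode(path)]
    pieces += re.split(r"[&=;]", fully_decode(query))
    return any(TRAVERSAL.search(p) for p in pieces)

def flag_clients(lines):
    """Map client IP -> [(target, status)] for traversal-looking requests."""
    hits = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_traversal(m.group(3)):
            hits.setdefault(m.group(1), []).append((m.group(3), int(m.group(4))))
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical URL paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2026:08:00:01 +0000] "GET /reports/trend.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Feb/2026:08:00:02 +0000] "GET /files/../../conf/app.ini HTTP/1.1" 200 812',
    '198.51.100.7 - - [12/Feb/2026:08:00:03 +0000] "GET /view?file=%2e%2e%2f%2e%2e%2fconf%2fapp.ini HTTP/1.1" 404 0',
    '198.51.100.7 - - [12/Feb/2026:08:00:04 +0000] "GET /view?file=%252e%252e%255cconf HTTP/1.1" 400 0',
    '192.0.2.10 - - [12/Feb/2026:08:00:05 +0000] "GET /docs/release..notes.txt HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, reqs in flag_clients(SAMPLE_LOG).items():
        for target, status in reqs:
            # A 2xx status on a flagged request means a file may have been served.
            print(ip, status, target)
```

Flagged requests that returned a 2xx status are the ones to review first, since they indicate the server may have answered with file content.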
Affected Countries
Finland, United States, Germany, Sweden, France, United Kingdom, Canada, Netherlands, China, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: NCSC-FI
- Date Reserved: 2026-02-11T07:10:54.573Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698d860cc9e1ff5ad8a5a414
Added to database: 2/12/2026, 7:49:32 AM
Last enriched: 2/19/2026, 1:00:24 PM
Last updated: 3/29/2026, 3:04:11 PM